RT/krbdev.mit.edu: Ticket #6782 Master KDC lookup can use SRV lookups despite profile KDC configuration
The Basics
Id: 6782
Status: new
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component, Tags, Version_reported, Version_Fixed, Target_Version: (none set)

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 7721: (Nobody) master_kdc is resolved sooner than necessary [open]
 
 Dates  
Created: Fri Sep 17 13:34:54 2010
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Updated: Tue Apr 8 14:19:53 2014 by ghudson
 

People
Owner: Nobody
Requestors: ghudson@mit.edu
Cc: (none)
AdminCc: (none)


History

Fri Sep 17 13:34:54 2010  ghudson - Ticket created
Subject: Master KDC lookup can use SRV lookups despite local realm KDC

If a realm is defined in the profile with one or more kdc values but no
master_kdc variable is defined, krb5_sendto_kdc() will perform SRV
lookups in order to determine the master KDC value, even if there's only
one KDC defined.

It would be more admin-friendly and performant to use the first value of
"kdc" in the profile as the master KDC.


Fri Sep 17 13:35:26 2010  ghudson - Subject changed from "Master KDC lookup can use SRV lookups despite local realm KDC configuration" to "Master KDC lookup can use SRV lookups despite profile KDC configuration"

Tue Apr 10 14:06:21 2012  ghudson - Comments added
Based on recent discussion here:

http://mailman.mit.edu/pipermail/krbdev/2012-April/010722.html

it would probably not be a good idea to assume that the first-listed KDC
is the master, especially while there is no protection against contacting
the same KDC a second time during the fallback to master.  We don't want
to do fallback in situations where it isn't desired; otherwise we can
cause extra account lockout strikes against a user who enters the wrong
password.

A more appropriate change would be to check if there are "kdc" values in
the profile realm configuration, and if so, not check DNS for a _master-kdc
record when looking for masters.


Tue Apr  8 14:19:53 2014  ghudson - Comments added
The change I suggested above could alter the behavior of existing
environments.  Where there are widely distributed krb5.conf files
specifying kdc but not master_kdc entries, and a SRV record for
kerberos-master, we would be effectively disabling fallback to master.
This is the case for ATHENA.MIT.EDU.

A more conservative change would be to support "master_kdc = ." or
something to explicitly suppress the master_kdc setting in the profile,
preventing a lookup in DNS.  I am not sure if we will go this route or
make the previously suggested change.


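As an added defender-side check (not part of the ticket or of the krb5 code base), the script below parses a constructed krb5.conf and reports realms whose profile configuration has kdc entries but no master_kdc, which is exactly the situation the ticket describes. The config parser is a minimal hypothetical one written for this example, not libkrb5's profile library, and the realm names and hosts are made up.

```python
"""Audit krb5.conf realms that define kdc but no master_kdc: per the ticket,
krb5_sendto_kdc() then does SRV lookups for the master even with kdc set."""
import re

# Constructed sample profile (not from the ticket); hosts are placeholders.
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
    EXPLICIT.EXAMPLE = {
        kdc = kdc.explicit.example
        master_kdc = kdc.explicit.example
    }
    DNSONLY.EXAMPLE = {
        default_domain = dnsonly.example
    }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section.
    Minimal parser for '[section]', 'NAME = {', 'key = value' and '}'."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if (m := re.fullmatch(r"\[(\w+)\]", line)):
            section, current = m.group(1), None
        elif section != "realms":
            continue
        elif (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)) and current is None:
            current = m.group(1)
            realms[current] = {}
        elif line == "}":
            current = None
        elif (m := re.fullmatch(r"(\w+)\s*=\s*(\S.*)", line)) and current:
            realms[current].setdefault(m.group(1), []).append(m.group(2))
    return realms

def realms_needing_srv_master_lookup(text):
    """Realms with kdc but no master_kdc: these fall back to a DNS SRV
    lookup for the master KDC unless master_kdc is set explicitly."""
    return sorted(r for r, kv in parse_realms(text).items()
                  if "kdc" in kv and "master_kdc" not in kv)

if __name__ == "__main__":
    for realm in realms_needing_srv_master_lookup(SAMPLE_KRB5_CONF):
        print(f"{realm}: kdc set but master_kdc missing (SRV lookup)")
```

Setting master_kdc explicitly for a flagged realm removes the DNS dependency the ticket describes; a realm with no kdc entries at all is not reported, since it relies on DNS for every KDC anyway.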